


What is claimed is: 

1. A method for certificate generation comprising the steps of:

forwarding a request from a first node to a second node to generate a certificate, wherein said request includes a first identifier that identifies the first node; and

in response to receipt of the request at the second node, generating a certificate that includes said first identifier.



2. The method of claim 1 wherein said request further includes a second identifier that identifies a principal.






3. The method of claim 2 wherein said certificate further includes a public key associated with said principal, and said second identifier.



4. The method of claim 1 further including the step of authenticating said certificate by said second node.



5. The method of claim 4 wherein said step of authenticating said certificate comprises the step of generating a certificate digitally signed by said second node.
6. The method of claim 5 wherein said step of generating said certificate signed by said second node comprises the step of generating a certificate digitally signed by said second node using a private key of a public/private key pair associated with said second node.

7. The method of claim 1 wherein said certificate further includes a time stamp that identifies a time associated with the request.



8. The method of claim 1 further including the step of authenticating said request by said first node.



9. The method of claim 8 wherein said step of authenticating said request by said first node comprises the step of digitally signing said request.



10. The method of claim 9 wherein said step of digitally signing said request comprises the step of digitally signing said request using a private key of a public/private key pair associated with said first node.



11. The method of claim 1 wherein said certificate further includes a time stamp that is associated with a time and date when said request was received by said second node.



12. A method for determining whether access to a resource should be provided to a principal in response to a request for access to the resource by the principal comprising the steps of:

receiving said request for access to said resource from said principal at a server;

verifying the authenticity of said request using a key contained within a certificate associated with said principal;

determining whether a registration authority identifier within said certificate corresponds to a registration identifier contained on a certificate revocation list, wherein said registration authority identifier is associated with a registration authority that requested a certification authority to generate said certificate; and

providing an indication to said server that said certificate has been revoked and denying access of said principal to said resource in response to a determination that said registration authority identifier within said certificate corresponds to a registration authority identifier on said certificate revocation list.



13. The method of claim 12 wherein said determining step further comprises the step of determining whether a time stamp contained within said certificate that specifies a time of receipt of a request from said registration authority to the certification authority to generate the certificate corresponds to a period identified on said certificate revocation list during which the respective registration authority is indicated to be untrustworthy; and

said providing step comprises the step of providing said indication to said server that said certificate has been revoked and denying access of said principal to said resource in response to a determination that said registration authority identifier within said certificate corresponds to said registration authority identifier on said certificate revocation list and said time stamp within said certificate corresponds to a time within said period identified on said certificate revocation list during which said registration authority was indicated to be untrustworthy.



14. The method of claim 13 wherein said period has a beginning point and an assumed ending point, said beginning point being specified by a time value contained within said certificate revocation list and the assumed ending point corresponds to a present time value.



15. The method of claim 13 wherein said period has a beginning point and an ending point, said beginning point being specified by a first time value and the ending point corresponds to a second time value.






16. The method of claim 12 wherein said verifying and determining steps are performed by said server.



17. A certification authority comprising:

a memory containing a computer program for generating said certificate; and

a processor operative to execute said computer program, said computer program containing program code for:

receiving a request from a registration authority to issue said certificate; and

in response to receipt of said request, generating said certificate that includes at least a registration authority identifier associated with said registration authority.



18. The certification authority of claim 17 wherein said request to issue said certificate is an authenticated request and said computer program further includes program code for verifying said authenticated request.

19. The certification authority of claim 17 wherein said certificate generated by said computer program further includes a principal identifier associated with a principal and a key associated with said principal.

20. The certification authority of claim 17 wherein said 
computer program further includes program code for 
storing within said certificate a time stamp associated 
with a time when said certification authority received 
said request from said registration authority. 



21. A system for determining whether access to a resource should be provided to a principal in response to a request for access to the resource by the principal comprising:

a first server operative to receive a request for access to said resource from said principal, said first server being operative to verify the authenticity of said request using a key contained within a certificate associated with said principal, wherein said certificate includes at least a registration authority identifier associated with a registration authority that issued a request to a certification authority to issue said certificate;

a second server containing a certificate revocation list, wherein said certificate revocation list includes said registration authority identifier in the event the associated registration authority has been determined to be untrustworthy, said second server being operative in response to a certificate revocation inquiry request to ascertain whether said certificate revocation list contains a registration authority identifier that corresponds to said registration authority identifier within said certificate; and

said second server being further operative to provide an indication to said first server that said certificate has been revoked in the event said certificate revocation list contains said registration authority identifier that corresponds to said registration authority identifier within said certificate.

22. The system of claim 21 wherein said first and second 
server comprise a single server. 
23. The system of claim 21 wherein said first server is further operative in response to receipt of said indication that said certificate has been revoked to deny said principal access to said requested resource.
24. The system of claim 21 wherein said certificate further includes a time stamp associated with a time when said certification authority received from said registration authority said request to issue said certificate on behalf of said principal; and

wherein said certificate revocation list includes said registration authority identifier in the event the associated registration authority has been determined to be untrustworthy and at least one value defining a time interval during which said registration authority is deemed to be untrustworthy;

said second server being operative in response to a certificate revocation inquiry request to provide a revocation indication if said certificate revocation list contains a registration authority identifier that corresponds to said registration authority identifier within said certificate and a time stamp associated with said registration authority identifier that is within said interval.



25. The system of claim 23 wherein said second server comprises a revocation server.



26. The system of claim 25 wherein said revocation server is further operative in response to said revocation indication to forward a certificate revocation message to said first server that indicates that said certificate has been revoked.



27. The system of claim 26 wherein said first server is operative in response to said certificate revocation message to deny said principal access to said requested resource.
28. A computer program product including a computer readable medium, said computer readable medium having a computer program stored thereon for generating a certificate, said computer program being executable by a processor and comprising:

program code for receiving a request from a registration authority to issue a certificate on behalf of a principal;

program code operative in response to recognition of said request, for generating by a certification authority a certificate authenticated by said certification authority wherein said certificate includes at least a principal identifier associated with said principal, a key associated with said principal for use in authenticating messages generated by said principal, and a registration identifier associated with said registration authority.



29. The computer program product of claim 28 wherein said program code for generating said certificate is further operative to include within said certificate a time stamp associated with a time of receipt by said certification authority of said request from said registration authority to issue said certificate.

ATTORNEY DOCKET NO. P409e
WEINGARTEN, SCHURGIN, GAGNEBIN & HAYES LLP
TEL. (617) 542-2290
FAX. (617) 451-0313

-29-



30. A computer data signal, said computer data signal including a computer program for use in generating a certificate, said computer program comprising:

program code for receiving a request from a registration authority to issue a certificate on behalf of a principal;

program code operative in response to recognition of said request, for generating by a certification authority a certificate authenticated by said certification authority wherein said certificate includes at least a principal identifier associated with said principal, a key associated with said principal for use in authenticating messages generated by said principal, and a registration identifier associated with said registration authority.



31. The computer data signal of claim 30 wherein said program code for generating said certificate is operative to include within said certificate a time stamp associated with a time of receipt by said certification authority from said registration authority of said request to issue said certificate.
32. The computer data signal of claim 30 wherein said
computer program further includes program code for 
publishing said certificate. 
33. The computer data signal of claim 30 wherein said program code for publishing said certificate includes program code for forwarding said certificate to a directory server.



34. An apparatus for generating a certificate in a computer network comprising:

means operative in response to receipt of a request from a first node coupled to a computer network at a second node coupled to said network for generating at said second node a certificate that includes a first node identifier associated with said first node.

35. The apparatus of claim 34 wherein said request was initiated by a principal and said request includes a principal identifier associated with said principal and said certificate further includes said principal identifier and a public key associated with said principal.

36. The apparatus of claim 34 wherein said certificate 
is authenticated by said second node. 



37. The apparatus of 
for comparing said fi 
identifier associated with an untrustworthy node on said network that is contained within a certificate revocation list and providing an indication that said certificate is untrustworthy in the event said first node identifier matches said untrustworthy node identifier.